Alibaba Cloud offers you a variety of system policies. The policies only provide coarse-grained access control, for example, all permissions or the read-only permission of a specific cloud product.

If you have finer-grained authorization requirements, for example, you want user bob to only read objects from the oss://samplebucket/bob/ directory through an office network, you can create custom policies for access control. (You can search for "My IP address" in a search engine to obtain the IP address of your office network.)


You understand the basic structure and syntax of a policy. For more information, see Policy language syntax.

RAM supports authorization at a finest granularity of API. That is, you can grant each operation permission in a policy by calling a specific API. Make sure that you understand the authorization granularity and methods supported by RAM. For more information, see Cloud services supporting RAM.


  1. Log on to the RAM Console.
  2. Choose Permissions > Policies.
    Note In the Policies pane, choose System Policy or Custom Policy from the Policy Type drop-down list to view the existing policies. You can only view system policies but can modify custom policies as needed.
  3. Click Create Policy.
  4. In the displayed dialog box, enter Policy Name. You can also choose to enter Note.
  5. Select Visualized or Script for Configuration Mode.
    • If you select Visualized, click Add Statement. In the displayed dialog box, set the permission effect, action, and resource.
    • If you select Script, edit the script. For details, see Policy structure and syntax.

What to do next

Grant user bob the created policy. Then, bob has the read-only permission for the objects in the oss://samplebucket/bob/ directory only when user bob access RAM through an office network (for example, with an IP address of

Authorize a RAM user with a policy. For details, see Authorize RAM users.